What Is Risk-Based Thinking in ISO Standards?

Over the past two decades of working closely with clients in both the manufacturing and service sectors, I’ve witnessed firsthand the transformation that occurs when organizations stop treating compliance as a checklist exercise and start thinking in terms of risk and opportunity. With the 2015 revisions to many ISO standards, particularly ISO 9001, we saw a deliberate shift away from siloed “preventive actions” toward an integrated, strategic approach known as Risk-Based Thinking (RBT). 

This wasn’t just a semantic change. It marked a cultural evolution, an acknowledgment that uncertainty is inherent in every business process, and that success belongs to those who plan for it, not those who simply react to it. RBT has empowered organizations to navigate complexity with greater confidence, embedding foresight into their planning and decision-making at all levels. 

In this article, I’ll draw from real-world consulting experiences across diverse industries to demystify Risk-Based Thinking. We’ll explore what it really means, why it matters, how it supports proactive leadership, and what tools you can use to bring it to life within your own management system. Whether you’re guiding a mature enterprise or a fast-scaling startup, the principles of RBT are not only practical, but they’re also essential.

What Is Risk-Based Thinking (RBT)?

Risk-Based Thinking (RBT) is the proactive approach embedded in ISO standards like ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018. Rather than treating risk as a separate component, RBT integrates it into every facet of an organization’s management system. This shift moves organizations from a reactive stance to a proactive culture, where potential issues are anticipated and addressed before they escalate. 

In my consulting journey, I’ve observed that organizations embracing RBT don’t just prevent problems, they identify opportunities for improvement and innovation. For instance, a manufacturing client leveraged RBT to streamline their supply chain, resulting in reduced lead times and increased customer satisfaction.

How Risk-Based Thinking Supports Proactive Decision-Making:

  • Identifying Potential Risks and Opportunities: By assessing both internal and external factors, organizations can foresee strategic and operational challenges and capitalize on opportunities. 
  • Integrating Risk Assessment into Planning: This ensures that objectives are achievable, and resources are allocated effectively. 
  • Enhancing Stakeholder Confidence: Demonstrating a proactive approach to risk management builds trust among customers, suppliers, and regulators.

A service industry client I worked with implemented RBT in their project management processes. This led to improved project delivery times and a significant reduction in unforeseen issues.

Key Objectives of Risk-Based Thinking:

The primary goals of RBT include: 

  • Enhancing Organizational Resilience: By anticipating potential disruptions, organizations can develop contingency plans. 
  • Promoting Continuous Improvement: Regular risk assessments lead to ongoing enhancements in processes and systems. 
  • Aligning Risk Management with Strategic Objectives: Ensuring that risk considerations are integral to achieving business goals. Read clause 6.1 connected to clause 4.1 and 4.1 per ISO harmonized structure. 
  • Fostering a Culture of Risk Awareness: Encouraging employees at all levels to consider risk in their daily activities. Clause 7.3 drives awareness to employees on how they can contribute to the system.

Practical Application of Risk-Based Thinking:

Implementing RBT involves: 

  1. Contextual Analysis: Understanding the organization’s internal and external environment. 
  2. Risk Identification: Recognizing potential events that could impact objectives. 
  3. Risk Assessment: Evaluating the likelihood and impact of identified risks. 
  4. Risk Treatment: Determining appropriate actions to mitigate or capitalize on risks. 
  5. Monitoring and Review: Continuously tracking risk factors and adjusting strategies accordingly.

Comparison: Preventive Action (Old) vs. RBT (New):

Previously, ISO standards emphasized preventive actions as separate clauses. However, this often led to a checkbox mentality, where organizations implemented measures without truly integrating them into their processes. 

With RBT: 

  • Integration: Risk considerations are embedded throughout the management system. 
  • Proactivity: Organizations anticipate and address potential issues before they occur. 
  • Flexibility: RBT allows for tailored approaches based on the organization’s specific context. 

This evolution encourages a more dynamic and effective approach to risk management. 

Tools & Techniques to Support Risk-Based Thinking:

1. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats) 

Use: SWOT analysis helps organizations evaluate their internal strengths and weaknesses, alongside external opportunities and threats. It’s particularly useful during strategic planning sessions or when entering new markets or launching new products. 

When to Use: Early in the business planning process or during the review of the organization’s context. 

Clause Alignment: ISO 9001:2015 – Clause 4.1 (Understanding the organization and its context) and Clause 6.1 (Actions to address risks and opportunities). This tool ensures that strategy and quality objectives are grounded in a realistic assessment of the internal and external environment. 

2. Failure Mode and Effects Analysis (FMEA) 

Use: FMEA systematically evaluates potential failure points in a product, process, or system and ranks them by severity, occurrence, and detection. It’s widely used in manufacturing, healthcare, and aerospace sectors. 

When to Use: During product design, process development, or when implementing changes that could introduce new risks. 

Clause Alignment: ISO 9001:2015 – Clause 8.3 (Design and development of products and services) and Clause 6.1 and 8.1. It supports risk-based planning and preventive strategies by analyzing “what could go wrong” and mitigating those risks before implementation. 

3. Risk Registers 

Use: A risk register is a living document that captures identified risks, assesses their likelihood and impact, and outlines mitigation actions and responsible parties. It provides transparency and traceability for risk management activities. 

When to Use: Continuously throughout project lifecycles or operational management, especially in industries like construction, logistics, or IT. 

Clause Alignment: ISO 9001:2015 – Clause 6.1 and Clause 9.1 (Monitoring, measurement, analysis and evaluation). It helps document ongoing risk review processes and links actions to strategic and operational plans. While not a requirement it is beneficial. 

4. Root Cause Analysis (RCA) 

Use: RCA investigates underlying causes of nonconformities, defects, or failures to prevent recurrence rather than just treating symptoms. It’s a staple in corrective action processes. 

When to Use: After incidents, near misses, or nonconformities—often triggered by audit findings or customer complaints. 

Clause Alignment: ISO 9001:2015 – Clause 10.2 (Nonconformity and corrective action). It supports continual improvement by ensuring lessons are learned and corrective actions address the source of problems. 

5. ISO/IEC 31010 – Risk Assessment Techniques 

Use: This standard outlines a variety of risk assessment tools including brainstorming, checklists, fault tree analysis, and bowtie analysis. It offers structured approaches tailored to industry-specific needs. 

When to Use: Depending on organizational maturity, criticality of operations, or regulatory environment. 

Clause Alignment: Supports ISO 9001:2015 – Clause 6.1, as well as clauses in ISO 14001 and ISO 45001 related to risk and opportunity planning. This framework provides flexibility for choosing appropriate methods suited to specific organizational risks. 

These tools, when chosen and applied correctly, don’t just satisfy audit checklists, they cultivate a culture of resilience and foresight. Over the years, I’ve seen organizations evolve by not just using these techniques mechanically, but integrating them into daily decision-making, making risk-based thinking a true operational philosophy rather than a compliance exercise. 

Internal vs External Audits: What Every Business Owner Should Know

The Strategic Importance of Audits for Business Owners

Audits are more than compliance checks; they are strategic tools that provide insights into performance, risk, and improvement opportunities. Engaged business leaders use audit results to drive better decision-making and long-term success. When conducting well, they provide leadership insights into where they may have to re-prioritize or allocate resources, where policies may be in conflict, what may be working well and where the system needs their leadership intervention.

What Are Internal and External Audits?

Internal Audits: Performed by or for the organization to check its own processes. These may be process audits or full system audits.

External Audits: These could be supplier audits (second party) or certification regulatory audits (third party). Third party audits are conducted by a third-party or certification body to verify compliance with standards.

Internal and external audits differ in breadth and depth of the audit based on scope and objective.

Why External Audits Should Be Taken Seriously?

External audits affect certification, reputation, and client confidence. A successful external audit demonstrates credibility and reliability.

Tip: Be prepared, be honest, and see auditors as partners in your improvement journey.

How to Prepare for Both Audits?

  • Keep documentation current
  • Review and close previous findings
  • Train staff on audit processes
  • Conduct mock audits
  • Engage leadership in the audit process

Conclusion:

ISO audit and their findings are not to be feared. They are valuable tools for identifying weaknesses and driving continuous improvement. With the right mindset and preparation, audits can move beyond mere compliance and become a core part of your strategic growth. Organizations that stay audit-ready show that they are not only compliant but also committed to excellence.

Top 10 Common ISO Audit Findings and How to Avoid Them

Importance of Being Audit-Ready:

Audits serve a critical role in verifying that an organization’s processes are aligned with established standards and functioning as intended. Far from being a punitive exercise, audits offer valuable insight into the strengths and weaknesses of a management system.

In my three decades of working with organizations across industries, one universal truth remains. An audit is not a surprise inspection, it’s a mirror. It reflects your organization’s systems, leadership engagement, and cultural commitment to quality and improvement. 

However, many organizations approach audits reactively, preparing only when one is imminent. This mindset often leads to unnecessary stress, inefficiencies, and missed opportunities for improvement. Being audit-ready means that compliance and performance monitoring are built into everyday operations, not treated as one-time events.

When an organization maintains a state of readiness, it reflects a culture of discipline, transparency, and continual improvement. Employees are aware of their responsibilities and of their processes, documentation is up-to-date, and leadership is engaged in the oversight of the system. This proactive approach not only supports successful audit outcomes but also enhances organizational resilience, stakeholder trust, and long-term sustainability.

Understanding ISO Audit Findings: What They Are and Why They Matter:

ISO audit findings are the documented results of an audit. Specifically, they identify areas where an organization’s management system either conforms to or deviates from the requirements of the ISO standard being audited. Findings can range from conformities, to observations (areas for potential improvement), to nonconformities, which indicate a failure to meet a specific requirement.

Audit findings are like diagnostic tools. Much like a physician’s report, they highlight where systems are healthy and where they need attention. Nonconformities, in particular, require careful attention. They are typically classified as minor or major. Left unaddressed, even minor nonconformities can escalate and lead to reputational damage, customer dissatisfaction, or even loss of certification.
In essence, audit findings are not setbacks, they are stepping stones toward improvement.

1. Poor Document Control

Uncontrolled, outdated, or missing documents can quickly lead to findings. Document control is critical for ensuring staff use the correct and current information. Organization can avoid this ISO Audit finding by implementing version control, limiting access to documentation, voiding printed copies of documentation, training employees on document management and regularly reviewing and updating procedures

2. Incomplete or Missing Records

Auditors expect to see evidence that procedures are being followed. If records are absent, it creates doubt about system effectiveness. Was the work really done? Further incomplete records are not able to evidence if the process step was followed as required by the procedure.

Organization can avoid this ISO Audit finding by automating recordkeeping, performing regular record audits, employee awareness and assigning clear ownership for maintaining records

3. Lack of Management Review

Without regular management reviews, there’s no top-level oversight of the system’s performance and alignment with strategic goals. Clause 9.3 of the ISO standards requires these reviews to be done at planned intervals. In some cases the organization may evidence the inputs provided to management but the outputs (decisions and actions) fail to get recorded.

Organizations can avoid this ISO Audit finding by scheduling periodic reviews, using metrics to guide discussions, making sure the leadership participates and documenting decisions and follow-up actions.

4. Ineffective Internal Audits

Weak internal audits fail to uncover problems and leave issues for external auditors to find. This could be caused by  poorly trained and qualified auditors, poor audit planning, using ‘canned’ checklists and a fear of audits and non-conformities causing personnel to hide issues.

Organizations can avoid this ISO Audit finding by training auditors from recognized training providers like QMII, auditing processes and not just documents, closing out internal audit findings promptly.

5. Unclear Roles and Responsibilities

When staff are unsure of their responsibilities, process gaps and accountability issues arise. In companies I have worked with there sometimes arises a confusion from where it is not clear which operator will conduct the task since all have the same job descriptions. 

Organizations can avoid this ISO Audit finding by defining roles and responsibilities in a RACI matrix or in the documented procedure, communicating changes clearly and verifying understanding during onboarding and training.

6. Non-Conformance Not Properly Addressed

Failure to analyze root causes or verify corrective actions can lead to repeat findings. A common cause of this may be a poorly written non-conformity as also a lack of structured root cause analysis training.

Organizations can avoid this ISO Audit finding by following a structured corrective action process, using tools like 5 Whys or Fishbone diagrams and reviewing the effectiveness of corrections

7. Lack of Risk-Based Thinking

ISO standards expect organizations to identify and manage risks proactively. Many still rely too heavily on reactive approaches. In some cases, risks are known, but are not passed up the chain because no structure exists for this to occur. Organizations can avoid this ISO Audit finding by including risk assessments in the planning phase, training staff on risk identification and maintaining a risk register that is updated on a regular basis. 

8. Insufficient Training or Competence

Staff who aren’t trained properly or lack required skills pose a compliance risk. Organizations can avoid this ISO Audit finding by developing and using a skills matrix, providing refresher training, linking training to performance reviews. Once the training is complete organizations must have a process to verify that training resulted in competence. 

9. Failure to Meet Customer or Regulatory Requirements

Not understanding or failing to meet these requirements can lead to major nonconformities. This occurs when organizations do not have a robust process for determining new requirements that may impact them and planning ahead to mitigate the risks. 

Organizations can avoid this ISO Audit finding by reviewing customer contracts and regulations, staying updated on evolving regulations, conducting compliance checks and keeping requirements visible to relevant teams.

10. Lack of Continual Improvement Evidence

Without records of improvement, your ISO system can appear stagnant and ineffective. Organizations can demonstrate to auditors that they meet the intent of continual improvement by trending and tracking KPIs, logging and reviewing improvement initiatives and recognizing and rewarding improvements

How to Retain Auditor Training Knowledge When You Can’t Apply It Immediately 

Completing an auditor training course is an exciting milestone. You walk away with frameworks, methodologies to create checklists, audit question techniques, and—if you’re like most professionals—a head buzzing with new knowledge. Ideally, you’d jump right into an audit and apply your skills, reinforcing what you’ve learned while it’s still fresh. But what if that opportunity doesn’t come right away? 

At QMII, we recognize this common challenge among our alumni. Let’s explore effective strategies to bridge the gap between training and practice—so that knowledge doesn’t fade but instead becomes a solid foundation for your future audit work. 

1. Simulate Real-World Scenarios 

Action: Design mock audits for yourself or with peers. 

Even without access to an organization’s system, you can simulate an audit process by reviewing publicly available quality manuals, environmental reports, or sample procedures including your own. Pretend you’re preparing for an audit: write an audit plan, create checklists, additional documentation you would request and practice conducting document reviews. 

Tip: Use scenarios from your training or past experience and ask yourself: 

  • What would I ask as an auditor? 
  • What evidence would I seek? 
  • What risks could be present? 

2. Start a Learning Journal 

Action: Reflect on key concepts, standards clauses, and audit techniques by writing them down in your own words. 

Journaling isn’t just for reflection, it’s a brain-anchoring technique. When you write out what you remember and how you would apply it, you’re reinforcing neural pathways tied to that knowledge. 

Include: 

  • Summaries of ISO clause requirements. 
  • How you would handle nonconformities. 
  • Sample non-conformities within your organization and write down your assessment of them as also the effectiveness of corrective actions. 

3. Teach Others What You Learned 

Action: Participate in knowledge-sharing sessions. 

There’s no better way to solidify your understanding than teaching others. Reach out to other auditors in your organization and discuss applicability and interpretation of a clause. Participate and contribute to discussions on LinkedIn forums. Search the web for interpretation of clauses and see the differences as opined by various different personnel. 

Bonus: You’re also building your credibility and visibility as an auditor. 

4. Stay Active in the QMII Alumni Network 

Action: Engage with blog articles, LinkedIn posts, ask questions, and share insights. 

QMII’s alumni network offers a treasure trove of experience. Staying engaged keeps you in the loop on best practices and might even lead to mentoring or shadowing opportunities. React to blogs written by QMII, contribute articles for QMII blog, comment on QMII posts and connect to QMII alumni. 

Don’t hesitate to: 

  • Ask others how they’re maintaining their skills. 
  • Request mock audit partnerships. 
  • Share resources and templates you’ve created. 

5. Continue the Learning Loop 

Action: Sign up for webinars, read audit case studies, and revisit your course materials regularly. 

Audit skills are built not just on knowledge, but on judgment, observation, and communication. You can sharpen these even while waiting for your first official audit assignment. 

Suggested activities

  • Attend QMII webinars or ISO updates. 
  • Subscribe to quality-focused newsletters. 
  • Read ISO audit case studies and identify what went wrong—and why. 

6. Request to Observe Internal Audits 

Action: If you’re part of an organization, ask to shadow an experienced auditor. 

Even if you’re not leading, observing an audit helps you internalize the structure, flow, and behavioral nuances of auditing. Jot down observations on auditor behavior, techniques, and interaction styles. Create your own checklists and then compare it to that prepared by the lead auditor. Discuss the differences after the audit. 

If your organization doesn’t have an active program, this is a great opportunity to propose starting one—a value-added initiative from a proactive auditor-in-training. 

Final Thoughts: Don’t Let the Gap Become a Gully 

Skills fade when left idle, but they flourish with even light engagement. Whether it’s through simulation, teaching, journaling, or community interaction, there are numerous ways to keep your audit knowledge sharp and ready. 

At QMII, we believe that continual improvement isn’t just for organizations, it’s a personal practice. Stay connected, stay curious, and keep that audit mindset active until your next assignment arrives. 

Have your own tips for retaining training knowledge? 
Join the conversation by commenting on this blog or drop us a line—we’d love to feature your story! 

ISO 13485: QMS Requirements of Medical Devices for Regulatory Purposes

by Dr. IJ Arora

ISO 13485:2016 is a standard that addresses quality management system requirements for those within the medical device industry. It is based on the systems-based approach found in ISO 9001:2015, but because it emphasizes requirements for regulatory purposes, it does not align with ISO’s harmonized structure (HS). In many ways, ISO 13485 does align with the HS, particularly in the structure and foundational principles of quality management.

The introduction of ISO 13485 explicitly states that the standard is aligned with ISO 9001, and this connection is important for understanding how the two standards relate to each other. I am a bit surprised as to why ISO 13485 isn’t fully harmonized with the HS as defined in Annex SL, which is the specific document within ISO standards that outlines the HS. I believe that if this standard were aligned to the HS, it would make implementation much less laborious for all involved.

The ISO 9001 foundation

The 2015 version of ISO 9001, which is presently under revision, provides a good basis for all standards. As mentioned, ISO 13485 has its roots in ISO 9001, which is why the key QMS principles (e.g., customer focus, leadership, process approach, continual improvement, and evidence-based decision making) central to ISO 9001 are also embedded in ISO 13485.

ISO 13485 includes several core concepts and clauses from ISO 9001. Clause 4 on quality management systems (e.g., structure, documentation requirements, and the scope of the QMS); cause 5 on management responsibility (e.g., top management involvement, resource allocation, and internal audits); and clause 8 relating to measurement, analysis, and improvement (e.g., monitoring, corrective actions, and continual improvement), are just some of these examples.

As I study, teach, consult, and audit using ISO 13485, I wonder why the standard Is not fully harmonized with similar standards as laid out in Annex SL. In consulting, I feel the pain of organizations that must meet regulatory requirements and so tend to overlook the process-based management system (PBMS) approach as the fundamental to the plan-do-check-act (PDCA) cycle. This regulatory focus is one reason why, although ISO 13485 shares many similarities with ISO 9001, it is not fully aligned with the HS. ISO 13485 places a strong emphasis on compliance with regulatory requirements specific to the medical device industry. The standard’s clauses addressing design and development, post-market surveillance, risk management, and traceability requirements are all far more extensive than those found in ISO 9001. Annex SL focuses more on general management practices and less on industry-specific regulatory controls. The detail and specificity required for medical device safety and compliance often necessitates a structure that goes beyond the framework of the HS.

Overcoming differences

Different scopes and audiences are also a consideration in that, while ISO 9001 is a general quality management standard applicable across industries, ISO 13485 is designed specifically for organizations that manufacture medical devices. These organizations must meet stringent regulatory requirements that go beyond what ISO 9001 addresses. Because of this, ISO 13485 requires more detailed processes related to product lifecycle management, post-market activities, risk management, and regulatory controls, which aren’t adequately covered under the more generalized HS. ISO 13485 includes a much stronger emphasis on managing the product’s entire lifecycle, from design and development to post-market activities (e.g., complaint handling and vigilance). Although ISO 9001 mentions product realization, ISO 13485 goes into much greater depth, including extensive requirements for design control and risk management. These elements reflect the higher level of scrutiny needed in the medical device industry, where safety and compliance are paramount.

With that said, I believe that these differences don’t prevent ISO 13485 from being organized according to the HS format. The standard would not only help medical device manufacturers’ management systems conform with specific regulatory requirements but also meet the obligations for continual improvement. After all, registered organizations in the aerospace and automobile industries already do just that via sector-specific management system standards that are harmonized with ISO 9001.

The structural differences in the clauses found in ISO 13485 and the standards adopting the HS are not too far apart. Although ISO 13485 is aligned with ISO 9001, it diverges when it comes to specifics that are unique to the medical device sector and regulatory requirements.

ISO 13485’s clause 7, “Product Realization” includes additional elements, such as design controls and regulatory compliance requirements, that are critical in the medical device industry. Post-market surveillance and complaint handling are central to ISO 13485, but the HS doesn’t go to the level of detail necessary for medical device manufacturers.

ISO 13485 emphasizes the need for continuous monitoring of device performance, even after they are on the market, ensuring any issues are identified and addressed in a timely manner. I believe ISO 9001’s subclause 9.1.2, “Customer Feedback,” can be updated to incorporate this requirement.

Risk management is a vital consideration. ISO 13485 integrates risk management into the standard in a way that is far more structured and pervasive than what is found in ISO 9001. ISO 13485 has a more detailed approach to identifying, assessing, and mitigating risks throughout the lifecycle of medical devices. However, these added requirements could be added to subclause 6.1.1 (““Actions to Address Risks and Opportunities”) or subclause 8.1.1 (“Operation Planning and Control”) found in the HS.

ISO 13485 includes specific requirements for design and development processes, which are critical in medical devices due to their complexity and potential risk to patient safety. The HS doesn’t provide this level of detail for other types of products or industries.

Identifying similarities

Notwithstanding the differences between ISO 13485 and the standards that align with the HS, there are also some key similarities. As with ISO 9001, ISO 13485 is built around seven quality management principles: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. Continual Improvement of the quality management system is part of both standards, emphasizing the need for a strong focus on monitoring, auditing, corrective actions, and reviews. Document control is another similarity. Both ISO 13485 and ISO 9001 stress the importance of clear and accurate documentation to ensure that quality management processes are defined, monitored, and maintained effectively.

In keeping itself separate from the HS, ISO 13485’s clause structure, despite being based on ISO 9001, serves to meet the unique needs of the medical device industry. The decision not to fully harmonize the standard with the structure seen in Annex SL likely stems from the need to ensure a tailored regulatory focus. ISO 13485 is aligned with a variety of regulatory frameworks across different countries and regions (e.g., FDA, EU MDR, TGA, etc.). These regulations require specific processes that go beyond the generic, high-level harmonized framework provided by Annex SL to facilitate combined/ integrated management systems. The structure of ISO 13485 allows for a more detailed, industry-specific approach to product safety, efficacy, risk management, and compliance. Product lifecycle control is an essential part of the medical device industry, and it has a complex lifecycle that includes design controls, manufacturing processes, and post-market activities that require more attention than the HS would provide.

Looking at a few additional clauses reveals that ISO 13485 follows a specific structure that allows it to emphasize the unique aspects of medical device quality management while maintaining consistency with other ISO standards.

For example, Clause 1, “Scope,” is relatively straightforward and outlines the scope of the standard, which is specific to organizations that design, manufacture, and maintain medical devices. The clause also highlights exclusions (for example, aspects not applicable to the organization), which is quite typical in a quality management standard.

Clause 2, “Normative References,” lists the documents referenced within ISO 13485, which is typical for any ISO management system standard. The important point here is that ISO 13485 requires compliance with relevant regulations and standards, particularly those in the medical device sector.

Clause 3, “Terms and Definitions,” is crucial because the terminology in the medical device industry can be very specifically. Definitions clarify terms that might have different meanings in other industries (e.g., what qualifies as a “medical device,” “design verification,” or “post-market surveillance”). This ensures uniformity and understanding across the industry.

Clause 4, “Quality Management System (QMS),” describes the basic requirements for establishing and maintaining a QMS, which is a fundamental aspect of ISO 13485. This clause outlines the need for a quality policy, the establishment of objectives, and the requirement to continually improve the QMS. These are common in all ISO standards but are tailored here to fit the needs of the medical device industry.

Clause 5, “Management Responsibility,” covers executive involvement as a key theme. In ISO 13485, it emphasizes top management’s responsibility for ensuring that quality objectives are met. This clause also requires that management provide resources for quality activities and review the performance of the QMS regularly, ensuring alignment with regulatory requirements and customer needs.

Clause 6, “Resource Management,” could have been aligned to clause 7, “Support,” found in the HS. This clause in ISO 13485 requires the organization to manage resources effectively, which includes personnel training and competence (a critical area in the medical device industry). This ensures that employees have the skills needed to produce safe and effective devices. It also covers infrastructure and the control of the work environment, ensuring that conditions are suitable for maintaining product quality.

Clause 7, “Product Realization,” diverges further from the HS. Product realization in the medical device sector involves the entire lifecycle of the device—from planning, design, development, and manufacturing to service and post-market activities. This clause is extensive and includes requirements for design controls, risk management, validation, and traceability, all of which are critical in the medical device industry. The detailed focus on design and development, verification and validation, and product monitoring ensures that all aspects of a medical device’s journey, from conception to post-market surveillance, are covered.

Clause 8, “Measurement, Analysis, and Improvement,” requires organizations to evaluate the effectiveness of their QMS through regular monitoring, measurement, and audits. It also focuses on corrective and preventive actions (CAPA) to improve quality. Preventive action in the HS has not been thrown out like the proverbial baby with the bath water. It has instead been replaced by requirement to appreciate risk. For medical devices, complaints and nonconformance reporting are key to ensuring ongoing safety and compliance. ISO 13485 could also have gone from preventive action to risk.

Post-market surveillance and vigilance is a requirement of the medical device standard. Unlike many other ISO standards, ISO 13485 places significant emphasis on post-market surveillance, which is the process of monitoring the performance of medical devices once they are in use. This is a major distinguishing factor from other ISO standards. Manufacturers are required to establish processes for post-market feedback, complaint handling, and field safety corrective actions (FSCA), which are essential for identifying and managing risks after the product is on the market.

In conclusion, I would opine and agree that although ISO 13485 is indeed based on ISO 9001, it diverges from the HS identified in Annex SL because the unique needs of the medical device industry—such as regulatory compliance, product lifecycle management, and patient safety—require a more detailed and specialized approach than the HS can provide. The clause structure of ISO 13485 reflects these specific requirements, making it a robust and industry-specific standard that ensures the safety and quality of medical devices while maintaining alignment with the foundational principles of quality management in ISO 9001.

This balance of maintaining core quality principles while addressing the needs of the medical device industry is why ISO 13485 has not fully adopted the HS but instead continues to incorporate elements of ISO 9001 alongside medical-device-specific regulatory needs. That it could still at the least attempt to align the primary clauses as risk to the HS would help all parties involved.

Note – The above article was recently featured in Exemplar Global’s publication called “The Auditor”. Click here to read it.

Are Provider Audits Mandated through ISO 9001?

by- Dr. IJ Arora

In relation to outsourced processes, the query (to paraphrase William Shakespeare) is, “To audit or to not audit?”

Take, as an example, the necessities from the principle process-based control machine usual, ISO 9001:2015. One would possibly imagine the machine way as equipped in clauses 4.4.1a thru 4.4.1h and conclude that tracking and regulate are had to recognize the dangers of the inputs and make sure persistent growth. The usual is supposed to be interpreted, and so not anything prescriptive is predicted. But, the query stays as to how organizations would possibly regulate the processes and ensure they’re assembly goals. Clause 5.2, “Coverage,” resulting in clause 6.2, “Goals,” supplies a touch that proof will have to be amassed of measurable goals being met. But, how can we get the inputs to attract a conclusion? The inputs are essential, and due to this fact there’s a want to decide the to be had accumulate and regulate knowledge.

In all probability the solution may also be discovered within the auditing serve as. By means of enforcing a strong provider analysis activity, together with audits as wanted, organizations can beef up the standard control machine and construct sturdy, dependable relationships with providers. Notice that requirements similar to ISO 9001:2015 don’t particularly mandate audits, but the intent of registration to a typical is to regulate the group’s processes. if now not auditing, then what different mechanisms can organizations use to regulate an outsourced activity and decrease dangers to their finish consumers?

Exerting regulate

Clause 8.4.2 of ISO 9001:2015 offers with the sort and extent of controls that a company should practice to externally equipped processes, merchandise, and products and services. The important thing sides on this dialogue come with making sure conformity, the kinds of controls wanted, and the level of those controls. Conformity has at its core the main to make sure that those exterior provisions don’t negatively have an effect on the group’s skill to constantly ship conforming services to its consumers. This implies the group should have mechanisms in position to make sure that the standard of the exterior inputs meet the group’s necessities and in the end fulfill buyer necessities.

Kinds of controls might be interpreted as acting a point of regulate, in all probability through auditing, even supposing auditing isn’t a selected requirement. The choice and analysis of the controls can be according to organising standards for deciding on and comparing exterior suppliers (e.g., a strong high quality control machine of their very own, previous efficiency, registration, and many others.) and/or undertaking thorough checks of doable providers (e.g., audits, questionnaires, web site visits, and many others.). As well as, you will need to installed position sturdy contractual agreements with exterior providers that come with transparent and measurable necessities, explicit key efficiency signs (KPIs), and acceptance standards for the needs of tracking and size. This may come with monitoring provider efficiency towards agreed-upon KPIs, examining knowledge to spot tendencies and spaces for growth, undertaking common efficiency critiques and comments classes, acting root purpose research and corrective and preventive movements when problems are known, and appreciating dangers through being proactive and the use of preventive measures.

The level of this regulate would rely at the criticality of the externally equipped activity, product, or provider to the group’s general high quality. For top-risk pieces, extra stringent controls (e.g., extra common audits or extra rigorous inspections) could be essential as, as an example, within the aerospace trade. In essence, clause 8.4.2 emphasizes the significance of proactive measures to make sure that exterior inputs don’t compromise the group’s skill to ship high quality services to its consumers.

Auditing supplies most of these inputs if the audit is appropriately deliberate and done. For instance, with approval, this stage of regulate might be completed through far flung cameras or the presence of the group’s inspectors on the provider’s amenities. The purpose is to care for the client focal point (clause 5.1.2) and include a risk-based way. The level of regulate will have to be proportionate to the related dangers. Power growth includes that the group will have to often evaluation and reinforce its processes for exterior controls.

Subsequently, even if clause 8.4 (particularly subclauses 8.4.1, 8.4.2, and eight.4.3) does now not explicitly mandate provider audits, it strongly implies their significance. Subsequently, a robust focal point on regulate should be interpreted. Clause 8.4 emphasizes the want to regulate externally equipped processes, merchandise, and products and services. Auditing is a a very powerful instrument for comparing a provider’s skill to fulfill high quality necessities and care for regulate over their processes.

Mitigating menace

To verify ok menace control, one should imagine if the provider’s efficiency at once impacts the group’s skill to ship high quality merchandise or products and services. Audits assist establish and mitigate doable dangers related to the use of exterior suppliers. Power growth is the most important consequence of auditing and offers precious comments on provider efficiency. This allows the group to spot spaces for growth of their processes and their practices round provider variety and provider control. Subsequently, even if now not strictly mandated, provider audits are extremely really useful for organizations in the hunt for to successfully put into effect ISO 9001 and make sure the standard in their services. The important thing issues can be:

  • Chance-based way. Auditing efforts will have to be desirous about providers that pose the easiest menace to the group’s high quality goals.
  • Number of analysis strategies. Audits are only one manner of provider analysis. Different strategies come with efficiency tracking, comments research, and web site visits.
  • Documentation. Care for transparent documentation of all provider analysis actions, together with audit findings, corrective movements, and growth plans.

When taking into consideration the outsourcing of a activity, the group should assess and decide the factors through which providers are decided on. Via systematic analysis, a company can put into effect a rigorous provider variety activity that comes with:

  • Detailed questionnaires to collect knowledge at the provider’s high quality control machine, processes, and features
  • Reference exams made through contacting earlier consumers to evaluate the provider’s efficiency and reliability
  • On-site visits to watch the provider’s operations and assess their amenities, apparatus, and body of workers
  • A risk-based way matrix to prioritize providers according to the possible impact at the group’s high quality goals

In making plans bids, growing contractual agreements, or different processes involving outsourcing, the next will have to be regarded as:

  • Transparent specs. Outline transparent and measurable necessities for the outsourced services or products.
  • Efficiency metrics. Determine KPIs to trace provider efficiency, similar to on-time supply, defect charges, and buyer delight.
  • Contractual consequences. Come with clauses for non-compliance with contractual tasks, similar to past due deliveries or subpar high quality.

The procedures for tracking and measuring outsourced processes should be nicely idea out and will have to be carried out when tendering a freelance. Consider, including necessities due to this fact is continuously tricky. Imagine the next:

  • Common efficiency evaluation. Behavior common efficiency critiques with providers to trace their efficiency towards agreed-upon KPIs.
  • Knowledge research. Analyze knowledge on provider efficiency, similar to defect charges, supply instances, and buyer proceedings to spot tendencies and spaces for growth.
  • Comments mechanisms. Determine a machine for gathering and examining comments from interior and exterior consumers relating to provider efficiency.

Whether or not a company prefers to audit or use different way of controlling the outsourced activity, a well-thought-out collaboration and verbal exchange plan will have to be made, taking into consideration:

  • Open verbal exchange channels. Care for open and common verbal exchange channels with providers to deal with issues, percentage knowledge, and collaborate on growth tasks.
  • Joint drawback fixing. Paintings collaboratively with providers to spot and unravel problems associated with high quality, supply, or different efficiency issues.

Power growth is integral to any excellent control machine. As a abstract I’d recommend the next:

  • Common critiques and updates. Often evaluation and replace your provider control processes to verify they continue to be efficient and aligned with converting industry wishes.
  • Provider construction. Enforce methods to assist providers reinforce their high quality control programs and function.

By means of enforcing a mixture of those mechanisms, organizations can successfully regulate outsourced processes, decrease dangers, and make sure that they obtain fine quality services from their providers.

Clause 9.2.1 of ISO 9001 does certainly recommend that auditing outsourced processes is excellent follow. This clause states that organizations will have to habits interior audits to guage the effectiveness of the standard control machine. The scope of interior audits generally comprises all related processes and actions inside the group. How this pertains to outsourced processes is the place the requirement turns into open to interpretation. Despite the fact that it does now not explicitly state “provider audits,” the clause means that comparing the effectiveness of processes which might be outsourced is a part of assessing the total effectiveness of the QMS. If the outsourced processes considerably have an effect on the group’s skill to fulfill buyer necessities, then the ones processes will have to be integrated within the scope of interior audits.

Dr. IJ Arora’s article was published in the Exemplar Global Publication “The Auditor”. Click here to read the featured article.

The Baltimore Bridge Collapse—Another Case of a Failed Management System

By – Dr. IJ Arora

Can good management systems make organizations immune to disasters? The Baltimore bridge (or, more precisely, the Francis Scott Key Bridge) collapsed in 2023 because the container vessel MV Dali collided with it. This was a tragedy, perhaps caused by the failure of several management systems, the ship, the port, the state, and whoever else was involved.

The National Transportation Safety Board (NTSB) investigation is ongoing, and will no doubt look at the part played by MV Dali, its crew, and its operator. However, my thought is that MV Dali or other ships plying the waters should have, by simple statistical probability, been considered as risks by the authorities. Between the water channel, the high number of ships sailing in and out regularly, and the bridge itself, there was likely to be an collision someday. Perhaps it was not a matter of if, but when! Therefore, should the bridge have been better designed and made safer based on these known and appreciated risks? After all, not all accidents can be completely avoided, but each tragedy has lessons learned as responsive action. The lessons become the data that drives risk identification and trends, thus making the system proactive. I am sure the NTSB is considering all this. In the meantime, without going into the ongoing investigation, there would seem to be some basics which are common indications of systemic failures. Be it the Titan submersible, or the Boeing management system,  as a subject-matter experts in  process-based management systems, I see a common cause: the failure of the system to  deliver conforming products and services.

In this short article, I want to discuss this bridge collapse in the context of the management system, considering ISO 9001:2015 generically and the requirements of ISO 55001:2024—“Asset management—Vocabulary, overview and principles” specifically. ISO 55001 was first published in 2014. It was developed as a standalone standard for asset management, building upon the principles of ISO 9001 and other relevant standards.

Could simply designing a good system based on the standard have enabled the organization to better assess the associated risks? Perhaps they were assessed, and a bridge allision was considered an extremely low-probability occurrence. If that were the case, the discussion would be on prioritization of risks.

As of the time of this writing (September 2024), the investigation into the Baltimore bridge collapse is still ongoing, and the lawsuits are starting to fly. Although the exact cause of the collapse remains under investigation, we can consider several factors that might have contributed to the incident. MV Dali experienced a series of electrical blackouts before the allision. The implementation of the vessel’s safety management system (SMS, based on the ISM Code) could be a factor. The stability, age, and condition of the bridge are, I am sure, being investigated as a potential contributing factor. Then, there is always human element. There may have been errors on the part of the ship’s crew or the bridge’s operators. Was the SMS designed to support them in such a scenario? What factors may have caused operators at all levels to perhaps not follow requirements and mitigate the risks? The NTSB’s investigation will highlight a detailed analysis of the ship’s navigation systems, the bridge’s structural integrity, and the actions of the individuals involved in this tragedy. Their final report will provide a comprehensive understanding of the incident and may include recommendations to prevent similar occurrences in the future.

However, even at this stage we can agree that bridges in general are national assets. They are valuable infrastructure that provides essential services to communities. Although it is not publicly known whether the state of Maryland specifically implemented ISO 55001 for its bridges, the principles and practices outlined in this standard could have been beneficial in managing the risks associated with the Baltimore bridge. Through the implementation of this standard (and/or ISO 9001), the authorities could have performed:

  • Risk assessments. ISO 55001 requires organizations to conduct regular risk assessments to identify potential threats and vulnerabilities. A thorough assessment of the bridge’s condition, age, and traffic load could have helped identify potential risks and inform maintenance and repair decisions, as could have changes in procedures, protection of navigation channels, and so on.
  • Lifecycle management. The standard emphasizes the importance of managing assets throughout their entire lifecycle, from planning and acquisition to maintenance and disposal. By following ISO 55001, the state could have developed a comprehensive plan for the bridge’s maintenance, upgrades, and eventual replacement.
  • Performance measurements. ISO 55001 requires organizations to establish measurable objectives or key performance indicators (KPIs) to measure the effectiveness of their asset-management activities. This could have helped the state monitor the bridge’s condition and identify any signs of deterioration.
  • Continual improvement. The standard promotes a culture of continual improvement, encouraging organizations to learn from past experiences and make necessary adjustments to their asset-management practices.

It is impossible to say definitively whether ISO 55001 would have prevented the Baltimore bridge collapse. However, the principles and practices outlined in the standard could have helped to reduce the risk inherent in such incidents. By adopting a systematic and proactive approach to asset management, organizations can improve the reliability and safety of their infrastructure. A systematic study must go beyond what the MV Dali contributed to the Baltimore bridge collapse; it is also important to consider the broader context and the potential contributions of other factors:

  • Bridge design and maintenance. The age and condition of the bridge are likely to be factors in the investigation. Older infrastructure may be more susceptible to damage or failure, especially if it has not been adequately maintained or upgraded.
  • Vessel traffic. The frequency and intensity of vessel traffic in the area can also influence the risk of allisions. The bridge is in a busy shipping channel; therefore, the likelihood of incidents was higher.
  • Safety measures. The presence or absence of safety measures such as buoys, warning systems, or restricted areas can also affect the risk of allisions. This needs to be studied and are factors the authorities would know.
  • Human elements and factors. Errors on the part of both the ship’s crew and bridge operators can contribute to accidents. Factors such as fatigue, inexperience, or inadequate training may play a role. What led to these issues? Error proofing, mistake proofing, and failure mode and effects analysis (FMEA) are tools that could be part of the effective management system.

Let us therefore consider ISO 55001 and the relevant clauses of the standard which could apply to the collapse of the Baltimore bridge.

Clause 4—Context of the organization

  • Clause 4.1—Understanding the external context, such as the age of the bridge, traffic volume, and environmental factors, is crucial for risk assessment.
  • Clause 4.2—Identifying the needs and expectations of relevant interested parties, including the public, commuters, and regulatory bodies, is essential for effective asset management.

Clause 6—Planning

  • Clause 6.2.1—The bridge’s asset management plan should have included clear objectives for its maintenance, repair, and replacement.
  • Clause 6.2.2—Specific objectives related to safety, reliability, and cost-effectiveness should have been established.
  • Clause 6.2.3—Detailed planning for maintenance, inspections, and upgrades would have been necessary to ensure the bridge’s structural integrity.

Clause 7—Support

  • Clause 7.1—Adequate resources, including funding, personnel, and expertise, should have been allocated for bridge maintenance and inspection.
  • Clause 7.2—Ensuring that personnel involved in bridge management have the necessary competence and training is essential.
  • Clause 7.3—Raising awareness among all relevant stakeholders about the importance of bridge maintenance and safety is crucial.

Clause 8—Operation and maintenance

  • Clause 8.1—Regular inspections and monitoring of the bridge’s condition would have helped identify potential problems early on.
  • Clause 8.2—A well-defined maintenance schedule, including preventive and corrective maintenance, would have been necessary to address issues before they escalated.

Clause 9—Performance evaluation

  • Clause 9.1—Establishing KPIs to measure the bridge’s performance, such as safety records, traffic flow, and maintenance costs, would have provided valuable insights.
  • Clause 9.2—Regular monitoring and evaluation of these KPIs would have helped identify areas for improvement.

Clause 10—Improvement

  • Clause 10.2—The bridge’s management should have implemented a system for monitoring and measurement, including data collection and analysis.
  • Clause 10.3—Predictive maintenance techniques could have been used to identify potential failures before they occurred.

My objective in writing this article is help demonstrate that by applying the principles of a standard, be it generic ISO 9001 or a more specific standard (as in this case, the asset-management system standard ISO 55001) the organization (in this case the state of Maryland) could have strengthened its asset-management practices and potentially mitigated the risks associated with the Baltimore bridge collapse.

The above article was recently published in the Exemplar Global publication – ‘The Auditor’.

Excellence in Auditing Presented by Dr. IJ Arora for Exemplar Global

“How Auditing Helps Prevent Tragedy,” presented by Dr. IJ Arora with Wendy Edwards (Project Director of Exemplar Global) at the Exemplar Global’s Excellence in Auditing Expo!

Click the link here to understand the critical role auditing plays in averting potential disasters. Whether you’re in risk management, quality assurance, or simply interested in safety and security, this discussion offers valuable perspectives and actionable takeaways.

Link to the Presentation

10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”